Android, iPhone apps accessing sensitive data

The explosion of mobile apps on Apple iPhone and Google Android has generally been seen as a good thing, but opening up our phones to these apps could lead to vulnerabilities, and Lookout is trying to raise awareness of potential security threats.

The company, which makes security and backup software for Android, BlackBerry and Windows Mobile, will launch the App Genome Project later this week. This app data set will identify threats and inform customers what type of data apps are accessing. Some of the early statistics show:

29% of free applications on Android have the capability to access a user’s location, compared with 33% of free applications on iPhone.

Nearly twice as many free applications have the capability to access user’s contact data on iPhone (14%) as compared to Android (8%).

47% of free Android apps include third party code, while that number is 23% on iPhone.

Lookout said the vulnerabilities don’t have to come from malicious programmers, as lazy ones can be just as harmful. For example, the company said some Android developers were inadvertently releasing user location data into logs that could be accessed by other programs. This vulnerability has been fixed in Android 2.2, or Froyo, but that software is not widely available yet.

If smartphones are truly going to make desktops irrelevant in a few years, then we are bound to see more viruses and security threats. Luckily, the smartphone operating systems have been designed in ways to limit the damage that some third-party apps can do (sandboxes, kill switches, approval processes), but I think it is only a matter of time before we see a widespread vulnerability cause some damage.

As the largest smartphone platform, Symbian has already been targeted by malicious programmers, but it will be fascinating to see how a company like Apple or Google responds to a serious threat.

You do realize that these are all the same things that the Lookout application accesses, right? But we can trust them, because they only use it to monitor what other apps have access to and upload it to their servers and aggregate it for marketing purposes like this. Mobile security as theatre; these guys are going to get eaten alive at Black Hat.

kdarling

My rule of thumb: never trust a report put out by a company that sells security software.